A clone (of the basic core) of AFL fuzzer
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
NaFlCore
PinTool
.gitignore
README.md

README.md

NaFl

FAQ

  • Why NaFl?

    • NaFl means sarcastically: "It is totally Not AFL"
    • NOTE: when I say AFL, I mean AFL v.0.1 alpha ;)
  • What is it?

    • It is a prototype of a code coverage fuzzer. I wanted to have something like AFL to use in Windows. Unfortunately everything looked very *NIX centric (AFAIK) so I decided to implement the core principles from the ground up (and learned something on the way)

    • It leverages dynamic binary instrumentation (DBI) to measure code coverage in blackbox Windows binaries.

      • "Fun" fact: adding support for Intel PIN to AFL was actually my original research project but mothran beat me to it, see his (her?) fantastic work here
      • NaFl can be thought as this with some Python core implementing a simple fuzzing logic
  • Why does the code suck so much?

    • Don't let physicists do computer science. Or anything else for that matter :)

Installation

NaFl is written in Python (Core) and C/C++ (the DBI core). Most of the installation is straightforward:

  • Clone the project

  • There are two major directories:

    • NaFlCore: nothing to do here at installation time
    • PinTool: contains a single file "MyPinTool.cpp"
    • Compiling your own PinTool is kind of a pain so most of the people I know use this little trick:
      • cd to Pin_directory\source\tools\MyPinTool
      • Overwrite the MyPinTool.cpp file with yours
      • Open the project in Visual Studio (I used VS Community 2013, very recommended to use this one)
      • Build the project
        • NOTE: if you get errors complaining about SafeSEH just deactivate it in the linker options.
        • Right click -> Properties -> Configuration Properties -> Linker -> All Options
        • Search for "Image Has Safe Exception Handlers" and set it to "NO (/SAFESEH: NO)"
      • Move the resulting DLL to a directory of your choice (you can rename it as well)
  • That should do it.

Dependencies

  • Python 2.7.x (grab it here)

    • Recommended Python 2.7.9+ (includes pip)
  • Intel PIN (download it here)

These Python modules are part of the client's core:

  • Winappdbg (pip install winappdbg)
    • This is awesome sauce, check more here
  • SQLAlchemy (pip install sqlalchemy)

The following Python modules are needed for the server:

  • Tornado (pip install tornado)
  • Twisted (pip install twisted)

Running

Once currently installed, running is pretty straightforward.

  • Run the server for collecting information and crash files

    • python server\xmlrpc-server.py
  • Edit the config file

    • Location of PIN and the corresponding PinTool
    • Location of the victim binary to analyze
  • Run the core

    • python NaFlCore.py

Tested on

At this moment NaFl has been tested in the following configurations:

  • Windows 7 x64

Future Enhancements

SO MANY…

  • Regularly evaluate the quality of mutations in the queue

    • Remove ones not yielding anything interesting in a long time?
    • Trim mutations?
  • Static analysis of the victim binary itself

    • Cannibalize strings
    • Check proximity to str(n)cmp and alike…
  • Pre-analysis of the samples

    • Find high entropy regions (uninteresting)
    • Find ASCII regions
    • Compare samples to find fixed tokens (PNG, etc.)

Thanks

This was done during my work time and therefore paid by my current employer, Siemens AG

Yes we do more than washing machines! ;)

Thanks for allowing this public release.